Researchers at vpnMentor have published their findings after uncovering serious flaws in a popular faith app. The app in question is Pray.com, used by members of the Christian faith to pray and engage in other devotional activities. A research team led by vpnMentor’s Noam Rotem and Ran Locar found that the California-based developers had misconfigured their AWS storage. The result was openly accessible storage holding 262GB of data containing personal information on at least 1 million users across Android, iOS, and various browser apps. AWS misconfigurations have been behind data leaks at other organizations in the past.
Researchers believe the number of users exposed could reach the tens of millions. Because some of the data includes email addresses on .mil and .gov domains, the ramifications could be far-reaching. vpnMentor uncovered the issue as part of a larger web mapping project. Researchers found the unsecured servers by port scanning specific IP blocks and testing them for exploits. Analysis showed that Pray.com’s S3 buckets were easily accessible because of missing encryption and a lack of basic security practices.
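The kind of check that would have caught an open bucket like this, as an added example that is not from vpnMentor’s report or from Pray.com: an offline audit of the three settings that make S3 data world-readable (bucket policy, bucket ACL, and the public access block). The input shapes follow what boto3’s get_bucket_policy, get_bucket_acl and get_public_access_block return; the bucket name and sample settings are constructed.

```python
import json

# Canned AWS group URIs that mean "anyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}


def public_policy_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements granting read actions to anonymous principals."""
    policy = json.loads(policy_json)
    hits = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") == "Allow" and anonymous and actions & READ_ACTIONS:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl: dict) -> list:
    """Return permissions the ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def public_access_block_ok(pab: dict) -> bool:
    """True only when all four public-access blocks are enabled on the bucket."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


# Constructed sample: a bucket left readable by anyone, the weak configuration.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
WEAK_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
# Corrected setting: block every public ACL and public policy at the bucket level.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")}}
```

With the hardened public access block in place, both the permissive policy and the AllUsers ACL grant are ignored by S3, which is why enabling all four flags is the usual first fix.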
Since the team at vpnMentor are white hat hackers, they immediately set out to rectify the situation by contacting Pray.com. What happened next shows blatant negligence on the part of the app’s parent company:
After our first two attempts at contacting Pray.com failed to elicit a reply, we contacted AWS directly to notify them. AWS confirmed they had informed Pray.com of the breach a few days later, but there remains no evidence that the company has attempted to resolve the issue.
Five weeks after our initial attempt to contact Pray.com, the buckets remained unsecured, but the contacts files were removed. On November 17th, after three attempts by us to reach out to Pray.com, we finally received an answer from Pray.com’s CEO. His email contained one word: “Unsubscribe.”
As vpnMentor points out in its research post, the location of Pray.com’s headquarters exposes the company to specific legal action. California has stringent privacy laws, in particular the California Consumer Privacy Act. With the owners of Pray.com continuing to refuse advice from cybersecurity experts, the company could face actions such as audits and fines.
If you are a user of Pray.com’s services, the smartest thing you can do is find another app to practice your faith with, at least until it tightens its security. The individuals in charge of this app appear to have been negligent in not heeding the warnings of well-intentioned security experts. In doing so, they may have exposed their users to identity theft or phishing attacks.